7 Biggest IT Compliance Headaches and How CIOs Can Cure Them

As if IT departments didn't have enough to worry about these days, they also have to ensure that the organization complies with the various industry and federal regulations (PCI DSS, Sarbanes-Oxley, HIPAA) designed to keep sensitive customer data safe. That is an increasingly difficult task in today's decentralized, mobile, app-filled world, and it's enough to give a CIO or CTO a headache.

"Compliance is a hot issue in IT, and for good reason," says Andrew Hodes, director of Technology at INetU, a cloud and managed hosting provider. "Failure to meet rules and guidelines set by compliance standards could mean fines, penalties and loss of trust."

The Biggest IT Compliance Challenges

But keeping the organization in compliance with industry and federal rules can be difficult, especially with more companies allowing workers to bring their own devices (BYOD). So what are some of the biggest challenges to keeping compliant? Dozens of technology pros and compliance experts share their top seven answers.

1. Employees. "Employees play a key role in protecting a company's sensitive data," says Jim Garrett, chief information security officer at 3M. "Low-tech methods like snooping, social-engineering or phishing are common techniques used by hackers against employees to gain unauthorized access to corporate information," he says.

"To overcome this threat, it's important to educate all employees on different ways information can be acquired through very low-tech methods and give them tools they can use, like protecting corporate data displayed on a laptop with a privacy filter while traveling or how to recognize phishing attacks, to help mitigate any risk," Garrett says.

"Having up-to-date security policies that are understandable to employees outside of IT is crucial," adds Scott Peeler, managing director, Stroz Friedberg, which specializes in investigations, intelligence and risk management. "Information security policies should cover the creation, transmission, transport and retention of information; when and how information can be disposed of or removed from corporate servers/storage; remote, wireless, electronic and physical access to the corporate network; and security precautions to use while traveling."

3. Mobile Devices. Mobile devices also pose serious security and compliance risks. "Regulated data isn't subject to a lower standard of protection just because it ends up on a mobile device," notes Ryan Kalember, chief product officer at WatchDox, a provider of secure mobile productivity and collaboration solutions.

Yet according to the recent 2013 Ponemon Institute study on The Risk of Regulated Data on Mobile Devices, "most organizations [have] weak controls in place to protect regulated data on mobile devices... and most employees, at one time or another, have circumvented or disabled required security settings on their mobile devices."

Therefore it is critical that "preventive measures should be taken to restrict unauthorized access to corporate data should a mobile device be lost or stolen," says Ray Paganini, CEO, Cornerstone IT, which provides managed IT services and support.

"These measures should be taken whether the device is enterprise-issued or not," he says. "However, it is best for security purposes to have a company mobile standard." His advice:

Enable devices and provide IT departments with the tools to perform a remote-wipe of sensitive data.

Configure mobile devices so that only authorized applications can be downloaded and/or accessed on them.

Invest in storage and data transmission encryption and other endpoint security tools.

"Corporate IT has grown to be complex and cumbersome, so end users have started using their own third-party services to get their jobs done, such as large file sending services," Scott-Cowley says. But oftentimes these apps or solutions are out of the organization's control, causing the IT department a major headache. "The best medicine to cure the headache? Educate end users; give CIOs the controlled power to constantly assess services for suitability; and deploy modern enterprise cloud solutions to solve overall compliance problems."

5. Cloud Service Providers. To ensure that sensitive data is being properly protected in the cloud, "choose a trusted service provider," says George Japak, managing director, ICSA Labs, an independent division of Verizon, and Verizon's HIPAA security officer.

"Cloud services present significant benefits in [terms] of cost savings, scalability, flexibility, etc." However, to ensure that your or your customer's data is properly protected and in compliance with all relevant regulations, "the vendor/service provider should...meet the underlying regulatory requirements, whether the cloud is engineered to be HIPAA-ready or to comply with PCI or FISMA standards, for instance," Japak says. Also ask whether the vendor can provide a current SSAE 16 audit report (a SOC 1 report on its controls). SSAE 16 is an attestation standard, not a certification, so read the report's scope and the controls it actually covers rather than relying on the label.

6. PCI. "Not only is it against card brand regulations if you're not Payment Card Industry (PCI) compliant when accepting credit/debit cards, but it's also an absolute must in today's economic climate of increasingly intelligent payment card theft," says Rob Bertke, senior vice president of product management, Sage Payment Solutions. "PCI certification provides assurance that a processor has passed a robust set of best practices for securing information when credit card payments are made."

"As IT professionals, we are often faced with the challenge of creating a secure cardholder data environment that can be proven compliant against multiple tests and PCI assessments," explains Ray Paganini, CEO, Cornerstone IT. To protect sensitive customer data, "use [a] firewall to segment cardholder information from the rest of your corporate network," he suggests. "Network segmentation limits the parts of your network that have contact with sensitive cardholder data and, when configured correctly, can reduce risk and costs, and narrow the scope of a PCI DSS audit."
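The scoping effect Paganini describes can be checked rather than assumed. The following is an added example, not code from the article or from any of the vendors quoted: it models a hypothetical network as zones plus a default-deny firewall policy, then computes which hosts a PCI DSS assessor would treat as in scope (the cardholder data environment plus any host whose zone has a permitted flow to or from it). The hosts, zones and rules are constructed for illustration. It also shows the "when configured correctly" caveat: a single broad rule from the corporate LAN into the CDE pulls the corporate hosts straight back into scope.

```python
"""Compute PCI DSS scope from a zone-based firewall policy (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Union

CDE = "cde"  # zone that stores, processes or transmits cardholder data


@dataclass(frozen=True)
class Rule:
    """An explicitly permitted flow; anything not matched is denied."""
    src_zone: str
    dst_zone: str
    port: Union[int, str]  # TCP port number, or "any"


# Hypothetical inventory: host name -> network zone
HOSTS: Dict[str, str] = {
    "pos-terminal-1": "cde",
    "payment-app": "cde",
    "card-db": "cde",
    "jump-host": "mgmt",
    "hr-fileserver": "corp",
    "laptop-alice": "corp",
    "guest-wifi-ap": "guest",
}

# Flat network: one any/any rule, i.e. no segmentation at all
FLAT: List[Rule] = [Rule("any", "any", "any")]

# Segmented network: only the management zone may reach the CDE, on SSH
SEGMENTED: List[Rule] = [
    Rule("mgmt", CDE, 22),
    Rule("corp", "mgmt", 22),
]

# Segmented network with a mistake: someone opened SMB from corp into the CDE
MISCONFIGURED: List[Rule] = SEGMENTED + [Rule("corp", CDE, 445)]


def permitted(rules: List[Rule], src_zone: str, dst_zone: str) -> bool:
    """True if any rule allows traffic from src_zone to dst_zone (default deny)."""
    return any(
        r.src_zone in (src_zone, "any") and r.dst_zone in (dst_zone, "any")
        for r in rules
    )


def scope_report(hosts: Dict[str, str], rules: List[Rule]) -> Dict[str, List[str]]:
    """Split hosts into PCI scope and out of scope.

    A host is in scope if it lives in the CDE, or if its zone has a permitted
    flow to or from the CDE ("connected-to" systems). Hosts with no permitted
    path in either direction are what segmentation is meant to exclude.
    """
    cde_hosts = {h for h, z in hosts.items() if z == CDE}
    connected = {
        h for h, z in hosts.items()
        if z != CDE and (permitted(rules, z, CDE) or permitted(rules, CDE, z))
    }
    in_scope = cde_hosts | connected
    return {
        "in_scope": sorted(in_scope),
        "out_of_scope": sorted(set(hosts) - in_scope),
    }


def broad_cde_rules(rules: List[Rule]) -> List[Rule]:
    """Rules touching the CDE that use 'any' for a zone or a port.

    These are the rules an assessor will ask about first, because a single
    wildcard is enough to collapse the segmentation boundary.
    """
    return [
        r for r in rules
        if (CDE in (r.src_zone, r.dst_zone) or "any" in (r.src_zone, r.dst_zone))
        and "any" in (r.src_zone, r.dst_zone, r.port)
    ]


if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("segmented", SEGMENTED), ("misconfigured", MISCONFIGURED)):
        print(name, scope_report(HOSTS, rules), "broad:", broad_cde_rules(rules))
```

Running the block prints three reports: with the flat policy every host is in scope; with the segmented policy only the three CDE hosts and the jump host remain, so the HR file server, the laptop and the guest access point drop out of the assessment; the misconfigured policy shows the corporate hosts back in scope because of one port-445 rule. In a real review the zone and rule inputs would be exported from the firewall rather than typed in, but the scope computation is the same.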

"HIPAA has also placed an increased emphasis on the management of vendors, which directly affects healthcare CIOs' compliance obligations," adds Japak. Therefore, it's necessary for IT departments to perform due diligence and make sure they work with HIPAA-compliant cloud service vendors.

Jennifer Lonoff Schiff is a contributor to CIO.com and runs a marketing communications firm focused on helping organizations better interact with their customers, employees, and partners.


Copyright 2019 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.